ArcGIS Online℠
Security Overview
ArcGIS Online is a secure, reliable Geographic Information System (GIS) delivered using the Software as a Service (SaaS) model. ArcGIS Online services are elastic, available on demand, managed by Esri, and accessed by clients running on a wide range of platforms. They can be shared and used by many customers while offering security benefits.
Built Using Secure Design Principles
Esri’s security strategy is based on an industry-standard, defense-in-depth approach that provides security controls at every level, for every user, including the application, network, and facilities. Adherence to these security principles helps ensure that ArcGIS Online provides confidentiality, integrity, and availability of data.
Secure Operations
• Background investigations are performed against all employees.
• Access to customer database information is limited to select operation team members.
• Operations/availability transparency web pages at: status.arcgis.com
Encrypted Communication
• User identity is established through a login process that always takes place over HTTPS to ensure industry-standard encryption of sensitive information.
• Subsequent access requires authentication tokens over HTTP or HTTPS, chosen by the administrator.
You Retain Ownership
• Ownership—Customers retain intellectual property rights for data they publish through Esri cloud offerings. Esri and third-party data can be incorporated into web applications using ArcGIS Online, Esri Business Analyst Online℠, and others.
• Multitenancy—Each data record within multitenant storage is stamped with the ID of the owning subscription to ensure organization data is accessible only by the organization’s users.
• Features—Each organization has its own logically separate database, providing isolation of stored features.
• Extract—Data publishers can extract and download data back to their organization via shapefiles or CSVs. Also, the original publication package can be downloaded back to an organization.
• Deletion—The data owner controls when and what to delete, whether it’s removal of features or the publication package. Deleted information is not left in a recycle bin; once the owner deletes it, it’s gone.
Configurable Application Security
ArcGIS Online has the flexibility to meet any organization’s security needs. ArcGIS Online application security features include the following:
• Roles—Three ArcGIS Online organization roles exist: user, publisher, and administrator.
  -- Users can add items, create web maps, share content, and participate in groups.
  -- Publishers are users that can publish hosted services from feature or tiled map data.
  -- Administrators utilize a web-based administration interface to manage users, groups, permissions, and organization-wide security features:
     -- Easily configure Secure Sockets Layer (SSL) to enforce confidentiality of all information as it crosses the Internet.
     -- Restrict anonymous access to organization data.
• Sharing—User-added content is only accessible by users and groups that users explicitly share the content with. By default, items are private and only accessible by the user adding content.
• Server—Secured ArcGIS® 10 for Server Service Pack 1 (SP1) and later services can be incorporated into maps.
• Development—ArcGIS Online utilizes software development coding best practice techniques: the use of static code analysis software, testing/code review, and more.
• Audit—Data modifications and administrative actions are stored in audit logs.

On-Premises Advanced Security Option
Some organizations require segmentation of their solution from the Internet or do not allow distributed multitenant environments such as ArcGIS Online. The on-premises Portal for ArcGIS meets this requirement of high security needs by running inside corporate firewall environments.

Upcoming Security Features
• Integration—Federated identity management / Enterprise directory integration (SAML, LDAP, ADFS)
• Certification—ArcGIS Online uses cloud infrastructure that is ISO 27001 and SAS 70 Type 2 compliant. ArcGIS Online application compliance with government FISMA security certification is underway.
• Privacy—Currently assessing alignment with additional privacy standards such as SafeHarbor.

Summary
Moving geospatial services to the cloud requires serious consideration of security issues and technology. Cloud computing is indeed complex; however, by utilizing a secure backbone of both industry-leading cloud providers and geospatial services, ArcGIS Online is able to provide the security organizations need. For more detail on a specific area, contact the enterprise security team at [email protected]. For more information on Esri’s approach to Enterprise Security, visit resources.arcgis.com/content/enterprisegis/10.0/security.
For more information, visit arcgis.com/about/features

Copyright © 2012 Esri. All rights reserved. Esri, the Esri globe logo, ArcGIS Online, ArcGIS, Business Analyst Online, @esri.com, and esri.com are trademarks, service marks, or registered marks of Esri in the United States, the European Community, or certain other jurisdictions. Other companies and products or services mentioned herein may be trademarks, service marks, or registered marks of their respective mark owners.